anti ip spoofing technique - apricot… · title: anti-ip-spoofing.ppt author: gaurab upadhaya...
Copyright (C) 2006 Internet Initiative Japan Inc. 1
anti IP spoofing technique
MATSUZAKI ‘maz’ Yoshinobu <[email protected]>
ip spoofing
creation of IP packets with source addresses other than those assigned to that host
Malicious uses with IP spoofing
• impersonation
  – session hijack or reset
• hiding
  – flooding attack
• reflection
  – ip reflected attack
impersonation
(diagram: the sender sends an ip spoofed packet, dst: victim, src: partner, to the victim)
victim: "Oh, my partner sent me a packet. I'll process this."
hiding
(diagram: the sender floods the victim with ip spoofed packets, dst: victim, src: random)
victim: "Oops, many packets are coming. But who is the real source?"
reflection
(diagram: the sender sends an ip spoofed packet, src: victim, dst: reflector, to the reflector; the reflector's reply packet, src: reflector, dst: victim, goes to the victim)
victim: "Oops, a lot of replies without any request..."
ip reflected attacks
• smurf attacks
  – icmp echo (ping)
  – ip spoofing (reflection)
  – directed-broadcast amplification
• dns amplification attacks
  – dns query
  – ip spoofing (reflection)
  – DNS amplification
amplification
(diagram: two ways a reflector amplifies what the Sender sent)
1. multiple replies
2. bigger reply
directed-broadcast amplification
(diagram: one icmp echo request from the Sender to a directed-broadcast address produces icmp echo replies from every host on that subnet)
DNS amplification
(diagram: the Sender's small query to a DNS server returns a much bigger reply)
query: ANY ? xxx.example.com
reply: xxx.example.com IN TXT XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX... (a long TXT record)
ip reflected attacks
(diagram: attacker -> ip spoofed packets -> open amplifier -> replies -> victim)
smurf attack
(diagram: the Attacker sends ip spoofed pings; the ICMP echo replies flood the victim)
dns amplification attack
(diagram: the Attacker sends ip spoofed DNS queries to many DNS servers; their DNS replies flood the victim)
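A worked example of the amplification shown on the "DNS amplification" and "dns amplification attack" slides, added here and not part of the original deck: it assembles the "ANY ? xxx.example.com" query in DNS wire format, a reply carrying one large TXT record, and computes how many reply bytes the reflector sends per query byte. The 1500-character TXT contents, the EDNS0 buffer size of 4096, the query id and the TTL are constructed for illustration. The check a practitioner wants is the 512-byte point: without an EDNS0 OPT record in the query the reflector must truncate the reply at 512 bytes, so the factor for this name is capped at about 15, and the spoofed query needs EDNS0 to draw the full-size reply onto the victim.

```python
"""DNS amplification on the wire (added example, not from the original slides)."""
import struct

TYPE_TXT, TYPE_OPT, TYPE_ANY = 16, 41, 255
CLASS_IN = 1


def encode_name(name):
    """RFC 1035 label format: <len><label>... ending with a zero-length label."""
    labels = [label.encode() for label in name.rstrip(".").split(".")]
    return b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"


def build_query(name, qtype, edns_bufsize=4096):
    """One-question query. With EDNS0 (RFC 6891) an OPT pseudo-RR advertises the UDP
    payload size the sender accepts; without it the server must truncate at 512 bytes."""
    arcount = 1 if edns_bufsize else 0
    # id (arbitrary, constructed), flags with RD set, qdcount, ancount, nscount, arcount
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, type 41, the class field carries the UDP payload size,
        # the ttl field carries extended rcode/version/flags, rdata is empty
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def build_txt_response(name, query_id, txt, qtype=TYPE_ANY):
    """Reply with a single TXT RR. TXT rdata is a sequence of <len><chars> strings of at
    most 255 bytes each, so a long record costs one extra byte per 255 characters."""
    chunks = [txt[i:i + 255].encode() for i in range(0, len(txt), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)
    # flags 0x8180: QR=1 (response), RD, RA; one question, one answer
    header = query_id + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # 0xC00C is a compression pointer to the question name at offset 12; TTL 300 is arbitrary
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + rr


def parse_header(msg):
    """Decode the 12-byte header so a reply can be checked against its query."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def amplification(name, txt_len, edns_bufsize=4096):
    """Return (query bytes, reply bytes the reflector actually sends, amplification factor).

    The reply goes to the IP source of the query; with a spoofed source that is the
    victim. Replies larger than the advertised UDP payload size are truncated (TC bit),
    modelled here as a hard cut at 512 bytes without EDNS0 or at the OPT buffer size."""
    query = build_query(name, TYPE_ANY, edns_bufsize)
    reply = build_txt_response(name, query[:2], "X" * txt_len)
    limit = edns_bufsize or 512
    sent = min(len(reply), limit)
    return len(query), sent, sent / len(query)


if __name__ == "__main__":
    for bufsize in (None, 4096):
        q, r, factor = amplification("xxx.example.com", 1500, bufsize)
        print(f"EDNS0 buffer {bufsize}: query {q} B -> reply {r} B, factor {factor:.1f}")
```

The numbers it prints are the deck's point in bytes: the 44-byte query with EDNS0 draws a 1551-byte reply (factor 35), the 33-byte query without it only 512 bytes (factor about 15), and either way the reflector addresses the reply to the spoofed source.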
relations – dns amp attack
(diagram: a Command&Control host drives a botnet; the bots send IP spoofed DNS queries to full-resolvers, which resolve them via root-servers, tld-servers and example-servers, and the replies go to the victim; stub-resolvers appear as the full-resolvers' legitimate clients)
solutions for ip reflected attacks
(diagram: attacker -> ip spoofed packets -> open amplifier -> replies -> victim)
• prevent ip spoofing (on the attacker's side)
• disable open amplifiers
two solutions
• disable ‘open amplifier’
  – disable ‘directed-broadcast’
  – disable ‘open recursive DNS server’
    • an authoritative (content) DNS server has to accept queries from everyone, but the resolver (cache) DNS service should be restricted to its own customers only.
• prevent ip spoofing!!
  – source address validation
  – BCP38 & BCP84
Source Address Validation
• Check the source ip address of ip packets
  – filter invalid source ip addresses
  – filter as close to the packet's origin as possible
  – filter as precisely as possible
• If no networks allow ip spoofing, we can eliminate these kinds of attacks
our assumption
• ISP/network administrators assign ip addresses to their users.
  – dynamic or static
  – DHCP, connectivity service
• Users should use these assigned ip addresses as their source ip address.
close to the origin
(diagram: two access routers behind one upstream router, RT.a serving 10.0.0.0/23 and RT.b serving 10.0.3.0/24)
• srcip: 0.0.0.0 -> "You are spoofing!" at every router ×
• srcip: 10.0.0.1 sent from the 10.0.3.0/24 side -> RT.b: "You are spoofing!" ×, but the upstream router: "Hmm, this looks ok... but.." (10.0.0.1 is a valid address further downstream; only the router closest to the origin knows it does not belong on that link)
how to configure the checking
• ACL
  – packet filter
  – permit valid-source, then drop any
• uRPF check
  – check incoming packets using the ‘routing table’
  – look up the return path for the source ip address
  – loose mode can't stop ip reflected attacks
    • use strict mode or feasible mode
cisco ACL example
customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, filter applied inbound on the ISP Edge Router's customer-facing interface

  ip access-list extended fromCUSTOMER
   permit ip 192.168.0.0 0.0.255.255 any
   permit ip 10.0.0.0 0.0.0.3 any
   deny ip any any
  !
  interface Gigabitethernet0/0
   ip access-group fromCUSTOMER in
  !

note: the wildcard 0.0.255.255 permits the whole 192.168.0.0/16; if the customer is assigned only the /24 shown, use 0.0.0.255 so the filter is as precise as the assignment.
juniper ACL example
customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, filter applied as input on the ISP Edge Router's customer-facing interface

  firewall {
      family inet {
          filter fromCUSTOMER {
              term CUSTOMER {
                  from {
                      source-address {
                          192.168.0.0/16;
                          10.0.0.0/30;
                      }
                  }
                  then accept;
              }
              term Default {
                  then discard;
              }
          }
      }
  }

  [edit interfaces ge-0/0/0 unit 0 family inet]
  filter {
      input fromCUSTOMER;
  }

note: as in the Cisco example, 192.168.0.0/16 permits the whole /16; use 192.168.0.0/24 if that is all the customer is assigned.
cisco uRPF example
customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, uRPF (strict mode) on the ISP Edge Router's customer-facing interface

  interface Gigabitethernet0/0
   ip verify unicast source reachable-via rx
juniper uRPF example
customer network 192.168.0.0/24, point-to-point link 10.0.0.0/30, uRPF on the ISP Edge Router's customer-facing interface

  [edit interfaces ge-0/0/0 unit 0 family inet]
  rpf-check;
multistage verification
(diagram: uRPF on the Customer Router, on the Customer Edge Router and on the ISP Edge Router)
• customers know their network.
• good for precise filtering
• We can filter spoofed traffic at an early stage.
uRPF - failures
• common failures
  – unused space
  – private space
  – wrong address
• asymmetric routing failures
  – multi-connected network
  – transit LAN
• special failures
  – private/non-routed backbone network
unused space
(diagram: the ISP Edge Router, running uRPF, routes 192.168.0.0/16 toward the customer, whose network is 192.168.0.0/24 and whose router has only a default route back to the ISP; a packet with src: 10.0.0.1 dst: 192.168.1.1 is sent back and forth between them)
• if there is no filter, these packets keep looping until the ttl expires....
• fix the routing!
• add null routes on the customer router
private space
(diagram: a home network using private addresses behind a NAT Router; when the NAT didn't work, packets with private source addresses reach the ISP Edge Router and uRPF drops them)
• usual case
• bad implementation of NAT
• mis-configuration
  – router/firewall
  – network
wrong IP address
(diagram: a host in customer network 192.168.0.0/24 sending with ip: 10.0.0.1; uRPF on the ISP Edge Router drops it)
• mobile PC trying its old IP
• mis-configuration
  – typo
• just spoofing
multi-connected network
(diagram: a customer connected to both ISP A (ip address from ISP A: 192.168.0.0/24) and ISP B (ip address from ISP B: 172.16.0.0/24), both running uRPF; a packet with src: 172.16.0.2 sent via ISP A is dropped by ISP A's uRPF check)
• PBR can fix this.
transit LAN
(diagram: RT.1 and RT.2 on a transit LAN, both running uRPF; a packet src: external dst: RT.2 interface is dropped)
• packets destined to a router's own interface address on the transit LAN may get filtered
private/non-routed backbone
(diagram: ISP A's backbone using private addresses, ISP B running uRPF; icmp messages sourced from ISP A's backbone are dropped)
• backbone hiding technique... but
• icmp error messages will be filtered.
  – traceroute can't show that ISP's network
  – this also breaks PMTUD
IIJ’s case
• discussion
• router capability
• policy
• problems
internal discussion
• Do we need anti-spoofing in our network?
  – We heard a rumor that attackers don't use ip spoofing anymore these days.
• The answer is YES.
  – ip spoofing is still used for attacks.
    • dns amplification attacks
  – preparation for new attacks using ip spoofing
kubo graph #1
kubo graph #2
router uRPF capability #1
• Cisco
  – uRPF loose/strict mode
• Cisco 72xx, 75xx
  – software processing....
• Cisco sup2, sup720
  – hardware support for uRPF/ACL
  – one uRPF mode per box
router uRPF capability #2
• Cisco 12xxx GSR
  – depends on the engine type of the line card
  – E0, E1: software processing
  – E2: per physical interface, exclusion ACL
  – E3: loose mode only
  – microcode reload...
router uRPF capability #3
• Juniper T/M
  – works fine
  – ‘feasible’ means ‘set of same length prefixes’

  feasible:                  non-feasible:
  routing table              routing table
  prefix        pref.        prefix
  10.0.0.0/24   100          10.0.0.0/24
  10.0.0.0/24   120          10.0.0.0/30
router uRPF capability
• Cisco
  – depends on box/linecard
  – uRPF strict/loose mode are supported
  – some boxes use software processing
    • additional 5~20% cpu load
• Juniper
  – works fine
  – needs some hack to export cflowd data of discarded traffic
our initial choice
• single homed user
  – simple
  – uRPF strict mode or ACL
• multihomed user
  – bgp customer (ISPs)
  – enterprise (need for redundancy)
  – uRPF loose mode
• ... something is better than nothing
IIJ’s policy
(diagram: IIJ/AS2497 in the center; uRPF strict mode toward single homed static customers; uRPF loose mode toward peer ISPs, upstream ISPs, customer ISPs and multi homed static customers)
ACL and uRPF
• ACL
  – deterministic
    • statically configured
  – maintenance of the access-list
• uRPF
  – easy to configure
  – care about asymmetric routing
    • strict mode works well only for symmetric routing
    • loose mode can't stop the ip reflected attack
    • few vendors support feasible mode
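To make the four checks from "how to configure the checking", the failure cases from the "uRPF - failures" slides, the Juniper ‘feasible’ definition and this ACL-versus-uRPF comparison concrete, here is an added Python model (not the deck's router configuration and not vendor code) of what the ISP edge router's lookup decides for a few constructed packets. The routing table, interface names, ACL and addresses are all assumptions made for illustration. Two further modelling assumptions: the default route is excluded from the reverse-path lookup, which is the usual vendor behaviour unless the operator enables it explicitly, and two table entries for the same prefix stand in for Juniper's ‘set of same length prefixes’ in feasible mode.

```python
"""Source address validation modelled in Python: an ACL and uRPF loose / strict /
feasible mode checked against a small routing table (added example, not from the deck)."""
from ipaddress import ip_address, ip_network

# ISP edge routing table: (prefix, next-hop interface, preference). All constructed.
# Two entries for one prefix model a multi-connected customer with a less-preferred
# second link; "discard" models a null route.
ROUTES = [
    ("192.168.0.0/16", "ge-0/0/0", 100),  # single-homed customer allocation
    ("10.0.0.0/30",    "ge-0/0/0", 100),  # point-to-point link to that customer
    ("172.16.0.0/24",  "ge-0/0/1", 100),  # multi-connected customer, primary link
    ("172.16.0.0/24",  "ge-0/0/2", 120),  # same prefix over the backup link
    ("203.0.113.0/24", "ge-1/0/0", 100),  # some other network, reached via upstream
    ("100.64.0.0/10",  "discard",  100),  # null route: address space not in use here
    ("0.0.0.0/0",      "ge-1/0/0", 100),  # default route toward upstream
]

# The deck's fromCUSTOMER idea: permit the customer's assigned prefixes, then deny any.
ACLS = {"ge-0/0/0": ["192.168.0.0/16", "10.0.0.0/30"]}


def lookup(src):
    """Longest-prefix match for a source address; returns every entry of the winning
    prefix, best preference first. The default route is excluded (assumption: uRPF
    implementations ignore it unless explicitly told to use it)."""
    addr = ip_address(src)
    hits = [r for r in ROUTES
            if ip_network(r[0]).prefixlen > 0 and addr in ip_network(r[0])]
    if not hits:
        return []
    longest = max(ip_network(r[0]).prefixlen for r in hits)
    return sorted((r for r in hits if ip_network(r[0]).prefixlen == longest),
                  key=lambda r: r[2])


def acl_permits(ingress, src):
    """ACL: deterministic, but someone has to keep the list in step with the assignments."""
    return any(ip_address(src) in ip_network(p) for p in ACLS.get(ingress, []))


def urpf_permits(mode, ingress, src):
    """uRPF: derive the answer from the routing table instead of a static list."""
    routes = [r for r in lookup(src) if r[1] != "discard"]
    if not routes:
        return False                       # no route, or only a null route: every mode drops
    if mode == "loose":
        return True                        # any route at all: a reflection victim's address passes
    if mode == "strict":
        return routes[0][1] == ingress     # best route must point back out the ingress interface
    if mode == "feasible":
        return any(r[1] == ingress for r in routes)  # any route of the same-length prefix
    raise ValueError(mode)


def verdicts(ingress, src):
    """Every check's answer for one packet, keyed by check name."""
    out = {"acl": acl_permits(ingress, src)}
    for mode in ("loose", "strict", "feasible"):
        out[mode] = urpf_permits(mode, ingress, src)
    return out


if __name__ == "__main__":
    # Constructed packets: (ingress interface, source address, what it represents)
    packets = [
        ("ge-0/0/0", "192.168.0.1", "customer's own address"),
        ("ge-0/0/0", "203.0.113.7", "spoofed victim address for a reflected attack"),
        ("ge-0/0/0", "10.99.0.5",   "private address leaking from a broken NAT"),
        ("ge-0/0/0", "100.64.3.3",  "unused space covered by a null route"),
        ("ge-0/0/2", "172.16.0.2",  "multi-connected customer arriving on the backup link"),
    ]
    for ingress, src, what in packets:
        print(f"{src:14} on {ingress}: {verdicts(ingress, src)}  ({what})")
```

Running it shows the three points the deck makes: the spoofed victim address 203.0.113.7 is routable, so loose mode lets the reflected-attack packet through while the ACL, strict mode and feasible mode drop it; the multi-connected customer's packet arriving on the backup link fails strict mode (the best route points out the other interface) but passes feasible mode; and the leaked private address and the null-routed space fail every mode, because there is no usable route back at all.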
problems
• uRPF/ACL works fine in most cases.
  – bugs, device capability, performance...
• less confidence in uRPF
  – operators know about uRPF, but have never used it.
  – test it!
• unawareness of Source Address Validation
  – why do we need this?
Why do we need it?
• Source Address Validation does NOT protect your users from DoS/attacks/etc. directly.
• It reduces malicious activity: the sending of ip spoofed packets from your network.
• If no networks allow ip spoofing, we can eliminate these kinds of attacks.
bogon traffic
(graph; labels: 150Mbps, 36Kpps, 6Kpps, 1.8Mbps)
please consider Source Address Validation in your network
END